CARVE: Practical Security-Focused Software Debloating Using Simple Feature Set Mappings

Software debloating is an emerging field of study aimed at improving the security and performance of software by removing excess library code and features that are not needed by the end user (called bloat). Software bloat is pervasive, and several debloating techniques have been proposed to address this problem. While these techniques are effective at removing bloat, they are not practical for the average end user, risk creating unsound programs and introducing new vulnerabilities, and are not well suited for debloating complex software such as network protocol implementations. In this paper, we propose CARVE, a simple yet effective security-focused debloating technique that addresses these shortcomings. CARVE employs static source code annotation to map software features to source code, eliminating the need for advanced software analysis during debloating and reducing the overall level of technical sophistication required by the end user. CARVE also introduces the concept of debloating with replacement, which is capable of removing software features while preserving software interoperability and mitigating the risk of creating an unsound program or introducing a vulnerability. We evaluate CARVE in 12 debloating scenarios and present our results demonstrating security and performance improvements that meet or exceed those of existing techniques.